AppLocker uses the Application Identity Service (AppIDSvc) for rule enforcement. For AppLocker rules to be enforced, this service must be set to start automatically in the Group Policy Object (GPO).
While the configuration options are unique to each customer and application, Rockwell Automation has provided a sample policy that you can use as a guideline to help assist you in getting started. This sample policy can be downloaded from this Knowledgebase article: https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989. For more information on AppLocker rules, refer to http://technet.microsoft.com/en-us/library/dd759068.aspx.
Importing the Rockwell Automation example policy can be done through the following steps:
- Open Local Group Policy Editor by going to Start | Run and entering gpedit.msc.
- Navigate to Application Control Policies | AppLocker. Right-click on AppLocker and select Import Policy...:
- Navigate to the place where you downloaded the AppLocker_RAUser.xml file and import it. This will replace any existing policies with the downloaded example policy.
- Now within the AppLocker policy that is loaded onto your system, the individual rules of the policy can be observed, studied and used as a starter policy to expand upon:
This only provides a starting point for a handful of Rockwell Automation applications, but allows for easy expansion with other applications. Backed by a well-designed patch management process, endpoint hardening is the most effective method of repelling exploits and attacks.